Blank Digital Signatures

Transcription

1 Blank Digital Signatures Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology (TUG), Inffeldgasse 16a, 8010 Graz, Austria {christian.hanser Abstract. In this paper we present a novel type of digital signatures, which we call blank digital signatures. The basic idea behind this scheme is that an originator can define and sign a message template, describing fixed parts of a message as well as multiple choices for exchangeable parts of a message. One may think of a form with blank fields, where for such fields the originator specifies all the allowed strings to choose from. Then, a proxy is given the power to sign an instantiation of the template signed by the originator by using some secret information. By an instantiation, the proxy commits to one allowed choice per blank field in the template. The resulting message signature can be publicly verified under the originator s and the proxy s signature verification keys. Thereby, no verifying party except the originator and the proxy learn anything about the unused choices from the message template given a message signature. Consequently, the template is hidden from verifiers. We discuss several applications, provide a formal definition of blank digital signature schemes and introduce a security model. Furthermore, we provide an efficient construction of such a blank digital signature scheme from any secure digital signature scheme, pairing-friendly elliptic curves and polynomial commitments, which we prove secure in our model. Finally, we outline several open issues and extensions for future work. Keywords: Digital signature scheme, blank digital signatures, elliptic curves, pairings, polynomial commitments 1 Changes to the AsiaCCS 13 Proceedings Version The construction of the BDSS has been greatly simplified. This makes the construction much more intuitive, enhances the performance significantly, reduces the size of the public parameters and allows the use of an indistinguishability notion for the privacy property. The privacy property has been restated to an indistinguishability style security game. This version incorporates full security proofs and uses explicit reductions in the security proofs (whenever appropriate). 2 Introduction Digital signatures provide the means to achieve source authentication and data integrity for digital messages in a publicly verifiable way meaning that at signing time a signer commits himself to a concrete message. In this paper, we propose the novel concept of a blank digital signature scheme. Here, an originator can define and sign a message template, describing fixed parts of a message as well as several choices for exchangeable parts of a message (one may think of a form with blank fields, where for such fields the originator specifies all the allowed strings to choose from), for which he can delegate signing permissions to a proxy. This proxy is given the power to sign template instantiations of the template given by the originator by using some secret information. The resulting message signature can be publicly verified under the originator s and the proxy s signature verification keys. Thereby, no verifying party except the originator and the proxy learn anything about the unused choices from the message template and, consequently, about the template when given a message This is a major revision of the version of the AsiaCCS 13 paper.

2 signature. In order to construct such a scheme it is helpful to look at existing variants of digital signature schemes to figure out, whether they can be used to instantiate blank digital signatures. Conventional digital signatures require the signer to be available during signature creation, e.g., when a contract is signed. To overcome this limitation, the concept of proxy signatures [14] has been introduced. Basically, a proxy signature scheme allows an entity (the delegator) to delegate his signing capabilities to another entity (the proxy) that can then construct signatures on behalf of the delegator. This concept has seen a considerable amount of interest since then [5]. Surprisingly, only quite recently a suitable security model for proxy signatures has been introduced [4], and been extended to multi-level and identity-based proxy signature schemes later on [17]. Since in a practical application, the delegator may not want to give the proxy the power to sign any message on behalf of the signer, the delegation by warrant [14] approach was proposed. Here, a signed warrant is used to describe the delegation. Thereby, any type of security policy may be included in the warrant to describe the restrictions under which the delegation is valid. This approach seems to be particularly attractive and received the most attention, since the designator can define a message space for which he delegates his signing rights. In state of the art schemes [17,5], a warrant consists of the description ω of the message space for which signing is being delegated, together with a certificate, which is a signature on ω under the delegators private signing key. We are given a similar requirement and, consequently, could ask whether proxy signatures can be used in this setting. In proxy signatures, this warrant is an abstract description, which could, for instance, be a context-free grammar, a regular expression, or as in [4], the description of a polynomial-time Turing machine computing the characteristic function of all potential messages, i.e., given a message to decide, whether the message is covered by ω or not. However, in proxy signatures the proxy is allowed to sign arbitrary messages from this abstract message space with the downside that the verifier learns the entire message space. Consequently, our requirement that the proxy can sign instantiations of a template without a verifier learning the corresponding template can not be realized by using existing proxy signature schemes. Conventional digital signature schemes do not allow alterations of a signed document without invalidating the signature. Since it may be valuable to have the possibility to replace or remove (specified) parts of a message after signature creation such that the original signature stays valid (and no interaction with the original signer is required), redactable [19,11] as well as sanitizable signature schemes [1] have been introduced. Signature schemes, which allow removal of content (replacement by some special symbol ) by any party are called redactable [19,11], while signature schemes allowing (arbitrary) replacements of admissible parts by a designated party are called sanitizable signature schemes [1], cf. [16] for a comparison. As in our setting, the proxy should be allowed to choose from a list of predefined replacements for designated parts of the message, one could ask whether redactable or sanitizable signatures can be used in this setting. Since in redactable signature schemes any party is allowed to modify signed messages by removing message parts, such signature schemes are obviously not compatible with our requirements. The original concept of sanitizable signatures [1] allows designated sanitizers to replace designated parts of a message. However, here the sanitizer does not have the role of a proxy meaning that it does not sign the modified message. Furthermore, a sanitizer can replace the designated parts with arbitrary strings, which is clearly not meeting our requirements. The concept of sanitizable signatures was later on extended to allow only permitted replacements [13], yet, the Bloom filter [3] based construction does not meet cryptographic security requirements and the cryptographic accumulator [2] based approach [13,7] allows to securely restrict replacements. Yet, both approaches are not designed and also do not support the hiding of the set of accumulated values (allowed replacements) and, thus, are not suitable for our construction. To sum this up, our concept has more in common with proxy signatures than with sanitizable signatures. This is due to our requirements that the signature of the originator is not publicly verifiable as it is the case in sanitizable signatures and only instantiations can be publicly verified as it is the case for proxy signatures. 2.1 Contribution Since, however, none of the existing concepts covers all our requirements, we propose the novel concept of a blank digital signature scheme. Here, an originator, i.e., the signer delegating signing

3 permissions, can define and sign a message template, describing fixed parts of a message as well as several choices for exchangeable parts of a message. One may think of a form with blank fields, where for such fields the originator specifies all the allowed strings to choose from. Then, a proxy is given the power to sign template instantiations of the template given by the originator by using some secret information. The resulting message signature can be publicly verified under the originator s and the proxy s signature verification keys. Thereby, no verifying party except the originator and the proxy learn anything about the unused choices from the message template and, consequently, about the template given a message signature. Since this setting is quite different from the security requirements of proxy signatures and sanitizable signatures, most importantly, the template should be hidden from verifiers, we define a novel type of signature scheme along with a suitable security model. Similar to proxy signatures and sanitizable signatures, we require a public key infrastructure meaning that the originator and proxy are in possession of authentic signing keys. Moreover, since we use polynomial commitments in our construction, we need the parameters to be generated by a trusted third party. A naive approach to realize blank digital signatures is that the originator produces n signatures for all n possible instantiations together with the public key of the proxy using a standard digital signature scheme, whereas the proxy simply signs the originator s signature for the chosen instantiations. However, the number of signatures issued by the originator would then be O(n), which gets impractical very soon with increasing number of choices in exchangeable parts. By using randomized Merkle hash trees [15] as in redactable signatures, the number of signatures of the originator could be reduced to O(1), whereas the signature of the proxy would then, however, be of size O(log n). At first glance, this may seem attractive, yet in Section 6.3 we illustrate that this approach also becomes soon impractical with an increasing number of choices. In our construction, the number of signatures of the originator is O(1), whereas the size of both signatures, of the originator and the proxy, are also O(1) and, in particular, very small and constant. Clearly, this is far more appealing than the aforementioned naive approaches. 2.2 Outline In Section 3, we sketch some application scenarios for blank digital signatures. Section 4 discusses the mathematical and cryptographic preliminaries. Then, in Section 5 we introduce the notion of blank digital signatures and the corresponding security model. A construction of a blank digital signature scheme along with its security proof and a comparison to the naive approaches are given in Section 6. Finally, Section 7 concludes the paper and lists open issues for future work. 3 Applications Here, we sketch some application scenarios which we envision for this novel type of digital signatures. Partially blank signed contracts: Suppose a person is willing to sign a contract under certain predefined conditions, e.g., set of potential prices, range of possible contract dates, but is not able to sign the contract in person. Then, this person can elegantly delegate this task to another semitrusted party, e.g., his attorney, by using blank digital signatures. The third party is then able to conclude the contract on behalf of his client. The client can do so by defining a contract template thereby leaving certain positions blank, i.e., defining certain potential choices for the position without committing to one, and signing the template. Then, at a later point in time, the attorney is able to fill in the gaps by choosing from predefined choices, whereas the original signature of the client remains valid, and then signing the resulting contract as a proxy. Sanitizable signatures: We may interpret exchangeable parts of message templates as replacements (with a potentially empty string) and, thus, can achieve a scheme with similar capabilities, but different meaning and strength as a non-interactive publicly accountable sanitizable signature

4 scheme [6] 1, which supports controlled replacements [7,13]. Note that such a sanitizable signature scheme does not yet exist. However, there are some key differences. In contrast to sanitizable signatures, our template signature is not intended to be publicly verifiable, i.e., can only be verified by the proxy and, thus, the originator does not commit to a concrete instantiation of the template. Furthermore, in blank digital signatures, the allowed replacements are hidden, which is not supported by sanitizable signatures allowing such replacements [7,13]. Consequently, blank digital signatures may be seen as signature schemes supporting sanitizing capabilities, but are a different concept as it is clear from the differences mentioned above. 4 Preliminaries In this section we firstly provide an overview of required mathematical and cryptographic preliminaries. 4.1 Mathematical Background An elliptic curve over the finite field F q equation: is a plane, smooth curve described by the Weierstrass E : Y 2 + a 1 XY + a 3 Y = X 3 + a 2 X 2 + a 4 X + a 6, (1) where a 1, a 2, a 3, a 4, a 6 F q. The set E(F q ) of points (x, y) F 2 q satisfying Equation (1) plus the point at infinity, which is the neutral element, forms an additive Abelian group, whereas the group law is determined by the chord-and-tangent method [18]. Let G be a cyclic group and p be a divisor of its group order, then there exists a subgroup of order p, which we subsequently denote by G[p]. Definition 1 (Bilinear Map). Let G 1, G 2 and G T be three cyclic groups of the same prime order p, where G 1, G 2 are additive groups and G T is a multiplicative group. We call the map e : G 1 G 2 G T a bilinear map or pairing, if the following conditions hold: Bilinearity: For all P 1, P 2 G 1 and P 1, P 2 G 2 we have: e(p 1 + P 2, P ) = e(p 1, P ) e(p 2, P ) for all P G 2, e(p, P 1 + P 2) = e(p, P 1) e(p, P 2) for all P G 1. Non-degeneracy: If P is a generator of G 1 and P a generator of G 2, then e(p, P ) is a generator of G T, i.e., e(p, P ) 1 GT. Efficiently computable: e can be computed efficiently. If G 1 = G 2, then e is called symmetric and asymmetric otherwise. The former type is also called Type-1 pairing, whereas in case of the latter we distinguish between Type-2 and Type-3 pairings. For Type-2 pairings there is an efficiently computable isomorphism Ψ : G 2 G 1 [8] and for Type-3 pairings such an efficiently computable isomorphism does not exist. In our setting, G 1 and G 2 are p-order elliptic curve group over F q and G T = F q k [p], which is an order p subgroup of F q k. Note that k, the so called embedding degree, is defined as k = min{l N : p q l 1}. A function ɛ : N R + is called negligible if for all c > 0 there is a k 0 such that e(k) < 1/k c for all k > k 0. In the remainder of this paper, we use ɛ to denote such a negligible function. Definition 2 (Discrete Logaritm Problem (DLP)). Let p be a prime of bitlength κ, G be a group of order p and α R Z p. Then, for every PPT adversary A Pr (A(P, αp ) = α) ɛ(κ). 1 In such a sanitizable signature scheme, when given a signature anybody can verify, whether a modification has been conducted by the original signer or the sanitizer without interacting with any party.

5 If G is an elliptic curve group, we call the corresponding DLP elliptic curve discrete logarithm problem (ECDLP). Definition 3 (t-strong Diffie Hellman Assumption (t-sdh)). Let p be a prime of bitlength κ, G be a group of order p, α R Z p and let (P, αp, α 2 P,..., α t P ) G t+1 for some t > 0. Then, for every PPT adversary A ( ( )) Pr A(P, αp, α 2 P,..., α t 1 P ) = c, α + c P ɛ(κ) for any c Z p \ { α}. 4.2 Digital Signatures Here, we briefly recall the definition of a standard digital signature scheme. Definition 4 (Digital Signature Scheme). A digital signature scheme DSS is a tuple (DKeyGen, DSign, DVerify) of polynomial-time algorithms: DKeyGen(κ) : Is a key generation algorithm that takes as input a security parameter κ N and outputs a private (signing) key dsk and a public (verification) key dpk. DSign(M, dsk) : Is a (probabilistic) algorithm taking input a message M {0, 1}, a private key dsk and outputs a signature σ. DVerify(σ, M, dpk) : Is a deterministic algorithm taking input a signature σ, a message M {0, 1}, a public key dpk and outputs a single bit b {true, false} indicating whether σ is a valid signature for M. Furthermore, we require the digital signature scheme to be correct, i.e., for all (dsk, dpk) KeyGen(κ) and all M {0, 1}, DVerify(DSign(M, dsk), M, dpk) = true must hold. A digital signature scheme is secure, if it is existentially unforgeable under adaptively chosen-message attacks (UF-CMA) [10]. Note that in practice, the sign and verify algorithms will typically use a hash function to map input messages to constant size strings, which is also known as the hash-then-sign paradigm. 4.3 Polynomial Commitments In [12], Kate et al. introduced the notion of constant-size polynomial commitments. The authors present two distinct commitment schemes, whereas one is computationally hiding (PolyCommit DL ) and the other is unconditionally hiding (PolyCommit Ped ). For our scheme, we are using an unconditionally hiding and computationally binding variant of PolyCommit DL for reducible, monic polynomials. The constructions of [12] use an algebraic property of polynomials f(x) Z p [X]. Namely, that (X λ) perfectly divides the polynomial f(x) f(λ) for λ Z p : Now, we briefly present the PolyCommit DL construction of [12]. Setup(κ, t): Pick two groups G, G T of the same prime order p (with p being a prime of bitlength κ) having a symmetric pairing e : G G G T such that the t-sdh assumption holds. Choose a generators P G and α R Z p and output ppk = (G, G T, p, e, P, αp,..., α t P ) as well as psk = α. Commit(ppk, f(x)): Given f(x) Z p [X] with deg(f) t and compute the commitment C = f(α)p G and output C. Open(ppk, C, f(x)): Output f(x). Verify(ppk, C, f(x)): Verify whether C = f(α)p holds and output true on success and false otherwise. 2 2 Subsequently, we use f(α)p as short-hand notation for deg(f) i=0 f (i) (α i P ), although f(α) as such can only be evaluated in case of a trapdoor commitment, i.e., with α known.

6 CreateWit(ppk, f(x), γ): Compute φ(x) = f(x) f(γ) X γ and W γ = φ(α)p and output (γ, f(γ), W γ ). VerifyWit(ppk, C, γ, f(γ), W γ ): Verify that f(γ) is the evaluation of unknown f at point γ. This is done by checking whether e(c, P ) = e(w γ, αp γp ) e(f(γ)p, P ) holds. Output true on success and false otherwise. A polynomial commitment scheme is secure if it is correct, polynomial binding, evaluation binding and hiding (cf. [12]). The above scheme can be proven secure under the t-sdh assumption in G, as long as t < 2 κ. For the proof we refer the reader to [12]. Notice that α must remain unknown to the committer (and thus the setup has to be run by a trusted third party), since, otherwise, it would be a trapdoor commitment scheme. Moreover, we note that we do not need the algorithms CreateWit and VerifyEval in our construction, since we do not need to prove valid evaluations of the polynomial f(x) without revealing the polynomial itself. 5 Blank Digital Signatures In this section we introduce the notion of blank digital signatures as well as the according security model. As a prerequisite we first need to introduce representations and encodings for message templates and template instantiations. 5.1 Template and Message Representation In the following we introduce a representation for message templates. A message template T describes all potential template instantiations that correspond to a single template. More formally, a message template is defined as follows. Definition 5 (Message Template). A message template T is a sequence of non-empty sets T i = {M i1,..., M il } of bitstrings M ij and uniquely identified by id T. If the size of T i is one, then the set T i is called fixed element of T and exchangeable element otherwise. The set of all message templates is denoted by T. An exchangeable element T i represents allowed substitutions, i.e., T i can be replaced by any of its elements M ij in order to obtain an instantiation of the template. Let n be the sequence length of T, then n is called length of template T. Finally, with T we denote the size of template T, that is T = n i=1 T i. Definition 6 (Template Instantation). A template instantiation M of some template T = (T i ) n i=1 is derived from T as follows. For each 1 i n choose exactly one element M i T i and set M = (M i ) n i=1. A template instantiation M is called valid, which we denote by M T, if it represents choices that were intended by the originator of template T. Furthermore, we use M T = {M : M T } to denote the set of all possible template instantiations of a template T. A message template T is called trivial if it does not contain any exchangeable elements. Note that this implies T = n, and minimal if no two fixed elements are adjacent. The minimal property guarantees that the number of fixed elements is kept minimal. The complement of the template instantiation M denoted as M is a sequence of sets of bitstrings and represents all unused choices in the exchangeable elements, that is M = (T i \ {M i }) n i=1 for an instantiation M = (M i ) n i=1 of T = (T i) n i=1. Now, we give a short example to illustrate our concept. Example 1. Let T = (T 1, T 2, T 3 ) with

7 T 1 = { I, hereby, declare to pay }, T 2 = { 100$, 120$, 150$ } and T 3 = { for this tablet device. }. Here, T 1 and T 3 are fixed elements and T 2 is an exchangeable element with three choices. A template instantiation could, for instance, be M = ( I, hereby, declare to pay, 120$, for this tablet device. ). The complement of template instantiation M is then M = (, { 100$, 150$ }, ). In the following, we define encodings of templates and template instantiations, for which we use polynomials in the Euclidean ring Z p [X]. This allows us to perform polynomial division with remainder, which is essential to our construction. Definition 7 (Template Encoding). Let T =(T i ) n i=1 be a message template and H : {0, 1} Z p be a full-domain cryptographic hash function. A template encoding function t : T Z p [X] is defined as follows: n ( T X H(M idt i) ). i=1 M T i The evaluation t(t ) results in a so-called template encoding polynomial t T Z p [X] of degree T. Note that the degree of the resulting polynomial needs to be bounded by 2 κ, as otherwise the security of the polynomial commitment scheme is no longer guaranteed. However, this has no impact in practice, since the polynomial can only be created by a polynomial time algorithm. Definition 8 (Message Encoding). Similar to Definition 7, a message encoding function m T : M T Z p [X] with respect to a message template T is defined as follows: M n (X H(M i id T i)), i=1 where M = (M i ) n i=1 is an instantiation of T = (T i) n i=1. We call m M = m T (M) Z p [X] message encoding polynomial. Furthermore, we define the complementary message encoding function m T : M T Z p [X]: n ( M X H(M idt i) ). i=1 M (T i\{m i}) We call m M = m T (M) = ( t T m M ) Z p [X] the complementary message encoding polynomial of m M with respect to template T. In the following, we consider all polynomials to be expanded. To do so, we assume that an algorithm Exp, which carries out the polynomial expansion, is applied implicitly to all polynomials. Typically, a template instantiation M = (M i ) n i=1 T will be mapped to a single bitstring M = M 1... M n. We denote the mapping leading from M to M by λ(m, I) = M, where I = ( M i ) n i=1 is a descriptional sequence holding the lengths of the n elements of M as given by template T. For sake of simplicity, we consider all templates to be non-trivial as well as minimal and do not differentiate between a template instantiation M and its corresponding bitstring M. 5.2 Blank Digital Signature Scheme Now, we are able to formally define what we mean by a blank digital signature scheme. Definition 9 (Blank Digital Signature Scheme). A blank digital signature scheme BDSS consists of a tuple (KeyGen, Sign, Verify T, Inst, Verify M ) of polynomial-time algorithms:

8 KeyGen(κ, t): This probabilistic algorithm gets the security parameter κ N and a value t N specifying the maximum template size. It generates public parameters pp and returns them. Sign(T, pp, dsk O, dpk P ): This probabilistic algorithm takes a message template T, the public parameters pp, the originator s signing key dsk O, the proxy s verification key dpk P and outputs a template signature σ T and a template dependent private key for the proxy sk T P. Verify T (T, σ T, pp, dpk O, sk T P, dpk P): This deterministic algorithm takes a template T, its signature σ T, the public parameters pp, the originator s signature verification key dpk O, the private key of the proxy sk T P, and the proxy s verification key dpk P. It outputs a bit b {true, false} indicating whether σ T is a valid signature for T. Inst(T, M, σ T, pp, sk T P, dsk P): This probabilistic algorithm takes a template T, an instantiation M, a template signature σ T, the public parameters pp, the private key of the proxy sk T P, the signing key dsk P of the proxy and outputs a message signature σ M. Verify M (M, σ M, pp, dpk P, dpk O ): This deterministic algorithm takes a template instantiation M of T, the signature σ M, the public parameters pp, the signature verification key of the proxy dpk P, and the signature verification key of the originator dpk O. It outputs a bit b {true, false} indicating whether σ M is a valid signature for M T. 5.3 Security Definitions In the following, we define the security properties a blank digital signature scheme needs to satisfy in order to be secure. Therefore, we start with a brief overview of the required properties. Correctness: The scheme must be correct in terms of signature correctness, signature soundness and instantiation correctness, i.e., both template and message signatures are accepted when valid and template signatures of the originator are binding. Unforgeability: No entity without knowledge of the signing keys dsk O, dsk P and sk T P should be able to forge template or message signatures. This is analogous to the security of traditional digital signatures. Immutability: The proxy having access to sk T P and dsk P, when given a template signature σ T for template T should not be able to forge template or message signatures. Privacy: No entity without knowledge of the signing keys dsk O, dsk P and sk T P should be able to determine elements of templates, which have not so far been revealed through instantiations. Subsequently, the security definitions are discussed in more detail. Correctness For a blank digital signature scheme the usual correctness properties are required to hold, i.e., genuinely signed templates and message signatures are accepted. Furthermore, we require template signatures to be sound, i.e., the originator commits to exactly one template by creating a template signature. Signature correctness: For any key pairs (dsk O, dpk O ) DKeyGen(κ) and (dsk P, dpk P ) DKeyGen(κ), any BDSS parameters pp KeyGen(κ, t), any template T and any honestly computed template signature σ T = Sign(T, pp, dsk O, dpk P ), we require that the verification holds. Verify T (T, σ T, pp, dpk O, sk T P, dpk P ) = true Signature soundness: For any key pairs (dsk O, dpk O ) DKeyGen(κ) and (dsk P, dpk P ) DKeyGen(κ), any BDSS parameters pp KeyGen(κ, t), any template T and any honestly computed template signature σ T = Sign(T, pp, dsk O, dpk P ),

9 we require that for any (sk T P, T ) (skp T, T ) the probability that the verification Verify T (T, σ T, pp, dpk O, sk T P, dpk P ) = true holds is negligibly small as a function of the security parameter κ. Instantiation correctness: For any key pairs (dsk O, dpk O ) DKeyGen(κ) and (dsk P, dpk P ) DKeyGen(κ), any BDSS parameters pp KeyGen(κ, t), any template T, any honestly computed signature σ T and corresponding sk T P such that any honestly computed message signature we require that the verification holds. Verify T (T, σ T, pp, dpk O, sk T P, dpk P ) = true, σ M = Inst(T, M, σ T, pp, sk T P, dsk P ), Verify M (M, σ M, pp, dpk P, dpk O ) = true Definition 10 (Correctness). A BDSS is correct if it satisfies signature correctness, signature soundness and instantiation correctness. Unforgeability Unforgeability in the context of blank digital signatures resembles the notion of (existential) unforgeability against adaptive chosen message attacks (UF-CMA) in classic digital signature schemes. We adapt the classical notion to our setting in Game 1. Unforgeability is a protection against attacks mounted by parties not having access to any secret information. Here, the adversary obtains the public keys from the challenger in the setup phase. In the query phase, A has access to two signing oracles, a template signing and a message signing oracle. Definition 11 (Unforgeability). A BDSS is called unforgeable, if for any polynomial-time algorithm A the probability of winning Game 1 is negligible as a function of security parameter κ. Immutability Immutability guarantees that no malicious proxy can compute signatures for templates or template instantiations not intended by the signer. Immutability is similar to unforgeability, but, in contrast to unforgeability, immutability deals with malicious insiders (proxies). The immutability game, as stated in Game 2, differs only slightly from the unforgeability game. Here, the adversary additionally obtains dsk P from the challenger in the setup phase. In the query phase, A has access to two signing oracles, where the template signing oracle additionally returns the corresponding private key sk T i P. In this game, A wins if he outputs valid forgeries of type T1, T2 or M1, M2b. Definition 12 (Immutability). A BDSS is called immutable, if for any polynomial-time algorithm A the probability of winning Game 2 is negligible as a function of security parameter κ. Privacy Privacy captures that any verifier except for the originator and the proxy, which is given a signature for a template instantiation M of a non-trivial template T, can not gain any information about M and thereby learn about T. This means that even if all but one choice of a single exchangeable element has been revealed no verifier should be able to gain complete knowledge of T. This is formalized in Game 3. Definition 13 (Privacy). A BDSS is called private, if for any polynomial-time algorithm A the probability of winning Game 3 is negligibly close to 1/2 as a function of security parameter κ and unconditionally private, if for any computationally unbounded algorithm A the probability of winning Game 3 is 1/2.

10 Setup: The challenger C runs KeyGen(κ, t) to obtain pp. Furthermore, C runs DKeyGen(κ) of a secure digital signature scheme twice to generate (dsk O, dpk O ) and (dsk P, dpk P ). It gives the adversary A the resulting public parameters and keys pp, dpk O and dpk P and keeps the private keys dsk O and dsk P to itself. Query: The adversary A has access to a template signing oracle O T and access to a message signing oracle O M. Both oracles are simulated by the challenger C. On receiving a template signing query T i, C checks whether such a query has already been issued. If so, C retrieves (T i, sk T i P, σt ) and returns i σt. Otherwise, C runs Sign(Ti, pp, dsk i O, dpk P ), returns σ Ti and stores the so obtained (T i, sk T i P, σt ). i On receiving a message signing query (T i, M ij ), C checks, whether a template signing query for T i has already been made and whether M i,j T i. If not, C returns. Otherwise, C checks whether the query (T i, M ij ) has already been made. If so, C retrieves (T i, M ij, σ Mij ) and returns σ Mij. If not, C retrieves (T i, sk T i P, σt ), runs Inst(Ti, i Mi, j σt, pp, i skt i P, dsk P), returns σ Mij tuple (T i, M ij, σ Mij ). and stores the All of these queries can be made adaptively. Output: The adversary A outputs either a triple (T, σ T, sk T P ) or a pair (M, σ M ). A wins if either T1 Verify T (T, σ Ti, pp, dpk O, sk T i P, dpk P) = true, where T is an unqueried template and sk T i P, and σt i correspond to one queried template T i, T2 Verify T (T, σ T, pp, dpk O, sk T P, dpk P ) = true for some unqueried template T with corresponding unqueried sk T P, and σ T, M1 Verify M(M, σ Mij, pp, dpk P, dpk O ) = true, where M M ij is an unqueried message and σ Mij corresponds to an already queried M ij T i, or M2 Verify M(M, σ M, pp, dpk P, dpk O ) = true for some unqueried message M from template signature σ Ti for some previously queried template T i, such that either (a) M T i, or (b) M T i. Game 1: Unforgeability Game Security Now, we can define what constitutes a secure blank digital signature scheme. Definition 14 (Security). We call a BDSS secure, if it is correct, unforgeable, immutable and (unconditionally) private. 6 Construction In this section we detail our construction and prove its security, i.e., we show that our presented construction is correct, unforgeable, immutable and private. 6.1 Intuition Before we present the detailed construction, we provide some intuition in order to make our design choices comprehensible. As already noted, we use standard digital signatures, such as ECDSA [9], as a building block assuming the respective signature keys to be available to every participant in an authentic fashion. Note that this requires the availability of public key infrastructures, which are, however, commonly used in practice today. In our construction, DSS signatures provide authenticity of template and message signatures. As already discussed in Section 5, we use polynomials to represent templates and template instantiations. The intuition is that the originator commits to a template polynomial. By construction every allowed template instantiation is represented by a message encoding polynomial that perfectly divides the template polynomial. A proxy can now commit to a message polynomial, by computing and signing a commitment to the complementary message encoding polynomial. However, he can not choose arbitrary divisors of the template polynomial, as the indexes of message elements

11 Setup: The challenger C runs KeyGen(κ, t) to obtain pp. Furthermore, C runs DKeyGen(κ) of a secure digital signature scheme twice to generate (dsk O, dpk O ) and (dsk P, dpk P ). It gives the adversary A the resulting public parameters and keys pp, dpk O and dpk P as well as dsk P and keeps the private key dsk O to itself. Query: The adversary A has access to a template signing oracle O T and access to a message signing oracle O M. Both oracles are simulated by the challenger C. On receiving a template signing query T i, C checks whether such a query has already been issued. If so, C retrieves (T i, sk T i P, σt ) and returns i (skt i P, σt ). Otherwise, C runs Sign(Ti, pp, dsk i O, dpk P ), returns (sk T i P, σt ) and stores the so obtained (Ti, i skt i P, σt ). i On receiving a message signing query (T i, M ij ), C checks, whether a template signing query for T i has already been made and whether M i,j T i. If not, C returns. Otherwise, C checks whether the query (T i, M ij ) has already been made. If so, C retrieves (T i, M ij, σ Mij ) and returns σ Mij. If not, C retrieves (T i, sk T i P, σt ), runs Inst(Ti, i Mi, j σt, pp, i skt i P, dsk P), returns σ Mij tuple (T i, M ij, σ Mij ). and stores the All of these queries can be made adaptively. Output: The adversary A outputs either a triple (T, σ T, sk T P ) or a pair (M, σ M ). A wins if either T1 Verify T (T, σ Ti, pp, dpk O, sk T i P, dpk P) = true, where T is an unqueried template and sk T i P, and σt i correspond to one queried template T i, T2 Verify T (T, σ T, pp, dpk O, sk T P, dpk P ) = true for some unqueried template T with corresponding unqueried sk T P, and σ T, M1 Verify M(M, σ Mij, pp, dpk P, dpk O ) = true, where M M ij is an unqueried message and σ Mij corresponds to an already queried M ij T i, or M2 Verify M(M, σ M, pp, dpk P, dpk O ) = true for some unqueried message M from template signature σ Ti for some previously queried template T i, such that (b) M T i. Game 2: Immutability Game are incorporated into the encoding and the length of the message, i.e., the degree of the message polynomial, is fixed by the originator. In the verification, the verifier computes a commitment to the message polynomial and checks whether the computed commitment and the commitment given by the proxy relate to the commitment given by the originator. We need a trusted third party, as the originator should not know the value α. Otherwise, he could exchange the template polynomial after signature generation for another polynomial having the same evaluation at the point α. Note that in the context of polynomial commitments the setup must always be run by a trusted third party, as otherwise these commitments represent trapdoor commitments, i.e., the knowledge of α allows to open the commitment to arbitrary polynomials. We use polynomial commitments of the form C = ρ f(α)p for some random value ρ R Z p to hide the committed polynomials. This provides unconditional hiding of unknown factors of f(x) as long as ρ stays unknown. 6.2 Scheme In Scheme 1, we present the detailed construction of our proposed BDSS. Moreover, in Protocol 1, we illustrate a typical scenario for the interaction of the originator, the proxy and the verifier. We note that Scheme 1 can easily be turned into a scheme using asymmetric pairings giving flexibility in the choice of curves and pairings as well as improved efficiency. In case of Type-2 pairings there are only minor modifications necessary, as there is an efficiently computable isomorphism between G 1 and G 2, whereas in the Type-3 setting this comes at the costs of doubling the size of pp. This is because the values αp,..., α t P G 1 also need to be mapped to elements of group G 2, i.e., we need to put the additional points P, αp,..., α t P G 2 into pp, where P is a generator of G 2.

12 Setup: The challenger C runs KeyGen(κ, t) to obtain pp. Furthermore, C runs DKeyGen(κ) of a secure digital signature scheme twice to generate (dsk O, dpk O ) and (dsk P, dpk P ). It gives the adversary A the resulting public parameters and keys pp, dpk O and dpk P and keeps the private keys dsk O and dsk P to itself. Query 1: The adversary A has access to a template signing oracle O T and access to a message signing oracle O M. Both oracles are simulated by the challenger C. On receiving a template signing query T i, C checks whether such a query has already been issued. If so, C retrieves (T i, sk T i P, σt ) and returns i (skt i P, σt ). Otherwise, C runs Sign(Ti, pp, dsk i O, dpk P ), returns (sk T i P, σt ) and stores the so obtained (Ti, i skt i P, σt ). i On receiving a message signing query (T i, M ij ), C checks, whether a template signing query for T i has already been made and whether M i,j T i. If not, C returns. Otherwise, C checks whether the query (T i, M ij ) has already been made. If so, C retrieves (T i, M ij, σ Mij ) and returns σ Mij. If not, C retrieves (T i, sk T i P, σt ), runs Inst(Ti, i Mi, j σt, pp, i skt i P, dsk P), returns σ Mij tuple (T i, M ij, σ Mij ). and stores the All of these queries can be made adaptively. Challenge: At some point A signals C that he is ready to be challenged by choosing two unqueried, distinct templates T 0 and T 1 of sizes less than t, which are shaped in such a way that from both templates k equal instantiations M 1,..., M k can be derived, and sending them to C. Then, C signs these two templates, stores the tuples (sk T 0 P, σ T 0 1 ), (skt P, σ T 1 ) and returns the corresponding template signatures σ T 0 and σ T 1 in a randomly permuted order to A. Query 2: The adversary A is allowed to issue an arbitrary number of queries as in query phase 1, excluding templates T 0 and T 1. Additionally, A can send instantiation queries for M l with 1 l k to an additional oracle O M, which is simulated by C. On receiving such a query M l, C checks whether M l T 0 and M l T 1. If not, C return. Otherwise, C checks whether such a query has already been made. If so, C retrieves (M l, σ M 0l, σ M 1l ) and returns σ M 0l and σ M 1l in a randomly permuted order. If not, C retrieves (sk T b ), runs Inst(T b, M b l, σ T P, σ T b P returns σ M 0l and σ M 1l in a randomly permuted order. b, pp, sk T All of these queries can be made adaptively. Output: The adversary A outputs (T b, σ Tb ) and wins if b = b. b Game 3: Privacy Game, dsk P) for b = 0, 1, stores (M l, σ M 0l, σ M 1l ) and 6.3 Comparison to the Naive Approaches Recall that the first naive approach given in Section 2.1 would require the originator to produce one signature for every possible template instantiation. Let us look at the above example, where we have 20 fixed elements and 25 exchangeable elements with 5 choices each. Note that this is an absolutely reasonable example, which is far from being overstated. Then, the originator would have to compute signatures, which is obviously impractical. The second naive approach we have mentioned is the use of Merkle hash trees to reduce the number of signatures that need to be computed by the originator at the expense of higher computational costs and an increased size of the signature. This means that the originator needs to build a complete binary tree, where the number of leaves equals the number of possible template instantiations. Furthermore, each leaf would need to include a random string as additional input to the hash function in order to hide the instantiations from a verifier as it is done in redactable signatures [11]. In our above example, the number of leaves would then be In order to build the hash tree, the originator would need to perform one hash evaluation per node in the tree. Note that for a complete binary tree with n leaves there would be at most 2n 1 nodes in the tree. For our above example, this would yield at most hash evaluations and the same number of PRF evaluations to randomize the tree (see [11] for more details on how to compute the random strings using a PRF). Although the verification of a signature for an instantiation in this construction would be quite efficient, as it can be carried in logarithmic time in the number of possible instantiations,

13 KeyGen: On input (κ, t), choose an elliptic curve E(F q) with a subgroup of large prime order p generated by P E(F q)[p], such that the bitlength of p is κ. Choose a pairing e : E(F q)[p] E(F q)[p] F q [p] and k a full-domain cryptographic hash function H : {0, 1} Z p for use with the encoding functions. Pick α R Z p, compute (αp,..., α t P ) and output pp = (H, E(F q), e, p, P, αp,..., α t P ). Sign: Given T, pp, dsk O and dpk P, where T is a template of size T = l and length n with l > n, this algorithm picks a unique id T R {0, 1} κ, computes t T = t(t ) Z p[x], picks a secret ρ R Z p and computes C = e(ρ t T (α)p, P ) and τ = DSign(id T C n dpk P, dsk O ) and returns the template signature σ T = (id T, C, n, τ) as well as sk T P = ρ. Verify T : Given T, σ T, pp, dpk O, sk T P and dpk P, where T is a template of size T = l and length n with l > n, this algorithm checks whether T t. If not, it returns false. Otherwise, it computes t T = t(t ) and checks whether DVerify(τ, id T C n dpk P, dpk O ) = true e(ρ t T (α)p, P ) = C. If so, return true and false otherwise. Inst: Given T, M, σ T, pp, sk T P and dsk P, where T is a template of size T = l and length n with l > n, this algorithm computes m M = m T (M) Z p[x]. Then, it computes C M = ρ m M (α)p and µ = DSign(τ C M I, dsk P ). It returns σ M = (µ, C M, I, σ T ). Verify M: Given M, σ M = (µ, C M, I = ( M i ) n i=1, σ T ), pp, dpk P and dpk O this algorithm verifies whether DVerify(τ, id T C n dpk P, dpk O ) = true DVerify(µ, τ C M I, dpk P ) = true n I = n M i = M On failure return false, otherwise evaluate m M = m T (M) and check whether On success return true and false otherwise. i=1 e(m M(α)P, C M ) = C Scheme 1: Blank Digital Signature Scheme the Sign, Verify T and Inst algorithms all require the computation of the full hash tree rendering this approach impractical. We emphasize that in our approach the signature size stays constant, regardless of the number of possible template instantiations. This is due to the fact that the template polynomial, whose degree grows only linearly in the template size, is mapped to a point on the curve, which is further mapped to a field element and then hashed. Notice that in our construction, the computational effort is independent of the number of potential template instantiation. Instead, it grows only linearly with the template size, i.e., with the number and the cardinality of exchangeable elements and the number of fixed elements. 6.4 Security Subsequently, we investigate the security of our construction in the proposed security model by considering all the required security properties. Theorem 1. Assuming the existence of secure hash functions and that the t-sdh assumption holds in E(F q ), Scheme 1 is correct with respect to Definition 10. Proof. See Appendix A.1. Theorem 2. Assuming the existence of secure hash functions and secure digital signature schemes and that the t-sdh assumption holds in E(F q ), Scheme 1 is unforgeable with respect to Definition 11.

14 We assume that the originator as well as the proxy both own an authentic key pair for a secure digital signature scheme (dsk O, dpk O ) and (dsk P, dpk P ), respectively. Setup T : The trusted third party T chooses a suitable security parameter κ and a value t N representing the maximum template length, runs KeyGen(κ, t) and publishes pp in an authentic fashion. Issue O : O defines a message template T, runs Sign(T, pp, dsk O, dpk P ) and gives σ T = (id T, C, n, τ) as well as sk T P to P. Issue P : P runs Verify T (T, σ T, pp, dpk O, sk T P, dpk P ) to check whether σ T is a valid signature for T issued by O. On success, P, on behalf of O, defines a template instantiation M T and runs Inst(T, M, σ T, pp, sk T P, dsk P ) and publishes (M, σ M). Verify: Anybody in possession of the public keys can now take (M, σ M) and run Verify M(M, σ M, pp, dpk P, dpk O ) to check whether σ M is a valid signature for M issued by O and P. Protocol 1: Blank Digital Signature Protocol Proof. See Appendix A.2. Theorem 3. Assuming the existence of secure hash functions and secure digital signature schemes and that the t-sdh assumption holds in E(F q ), Scheme 1 is immutable with respect to Definition 12. Proof. See Appendix A.3. Theorem 4. Scheme 1 is unconditionally private with respect to Definition 13. Proof. See Appendix A.4. Taking Theorem 1-Theorem 4 together, we obtain the following corollary. Corollary 1. Scheme 1 is a secure BDSS. 7 Conclusions In this paper we have introduced a new notion of digital signatures, namely so-called blank digital signatures. We have provided the abstract scheme, a security model and a concrete construction of such a scheme from any secure digital signature scheme, pairing-friendly elliptic curves and polynomial commitments. Moreover, we have proven the security of our construction and have given several use cases, such as delegated contract signing. 7.1 Future Work Since blank digital signatures are a novel concept, there are several open issues for future work, which we outline subsequently. One issue for future work is to get rid of the trusted third party for key generation. Furthermore, it would be desirable to generalize the blank digital signature scheme and its security model to multiple designated proxies, which seems to be straight-forward by inclusion of multiple proxy signature verification keys into the template signature. However, in this naive construction every proxy and every verifier can determine the set of designated proxies. This may not be desirable in practice, whereas to achieve this goal does not seem to be that straight-forward. Another issue is to find alternative designated constructions for blank signatures potentially without relying on standard digital signature schemes. Additionally, it would be desirable to prove the security of our construction under weaker assumptions and to impose further restrictions on allowed template instantiations, i.e., to further limit the allowed combinations of choices over all exchangeable elements of templates. Also, allowing blank fields, which can be substituted with arbitrary strings, would be desirable. Finally, it may be interesting to investigate concepts applied in the construction of blank digital signatures in the proxy signature setting.

15 8 Acknowledgements We would like to thank Jiangtao Li for his many valuable suggestions for improving the presentation of this paper. The work of both authors has been supported by the European Commission through project FP7-FutureID, grant agreement number References 1. Ateniese, G., Chou, D.H., de Medeiros, B., Tsudik, G.: Sanitizable Signatures. In: ESORICS. LNCS, vol. 3679, pp Springer (2005) 2. Benaloh, J.C., de Mare, M.: One-way accumulators: A decentralized alternative to digital sinatures (extended abstract). In: Advances in Cryptology - EUROCRYPT 93. Lecture Notes in Computer Science, vol. 765, pp (1993) 3. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), (1970) 4. Boldyreva, A., Palacio, A., Warinschi, B.: Secure proxy signature schemes for delegation of signing rights. IACR Cryptology eprint Archive 2003, 96 (2003) 5. Boldyreva, A., Palacio, A., Warinschi, B.: Secure Proxy Signature Schemes for Delegation of Signing Rights. J. Cryptology 25(1), (2012) 6. Brzuska, C., Pöhls, H.C., Samelin, K.: Non-interactive public accountability for sanitizable signatures. In: Proc. of the 9th European PKI Workshop: Research and Applications (EuroPKI 2012). LNCS, Springer-Verlag (2012) 7. Canard, S., Jambert, A.: On Extended Sanitizable Signature Schemes. In: Topics in Cryptology - CT- RSA LNCS, vol. 5985, pp (2010) 8. Chatterjee, S., Menezes, A.: On cryptographic protocols employing asymmetric pairings - the role of ψ revisited. Discrete Applied Mathematics 159(13), (2011) 9. Gallagher, P., Furlani, C.: FIPS PUB federal information processing standards publication digital signature standard (dss) (2009) 10. Goldwasser, S., Micali, S., Rivest, R.L.: A Digital Signature Scheme Secure Against Adaptive Chosen- Message Attacks. SIAM J. Comput. 17(2), (1988) 11. Johnson, R., Molnar, D., Song, D.X., Wagner, D.: Homomorphic Signature Schemes. In: Topics in Cryptology - CT-RSA LNCS, vol. 2271, pp (2002) 12. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Advances in Cryptology - ASIACRYPT pp (2010) 13. Klonowski, M., Lauks, A.: Extended sanitizable signatures. In: ICISC. pp (2006) 14. Mambo, M., Usuda, K., Okamoto, E.: Proxy Signatures for Delegating Signing Operation. In: ACM Conference on Computer and Communications Security (CCS 1996). pp (1996) 15. Merkle, R.C.: A digital signature based on a conventional encryption function. In: CRYPTO. pp (1987) 16. Samelin, K., Poehls, H.C., Posegga, J., de Meer, H.: Redactable vs. Sanitizable Signatures. Tech. Rep. Number MIP-1208, Department of Informatics and Mathematics, University of Passau (2012) 17. Schuldt, J.C.N., Matsuura, K., Paterson, K.G.: Proxy Signatures Secure Against Proxy Key Exposure. In: 11th International Workshop on Practice and Theory in Public-Key (PKC 2008). LNCS, vol. 4939, pp (2008) 18. Silverman, J.: The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, vol Springer (1986) 19. Steinfeld, R., Bull, L., Zheng, Y.: Content Extraction Signatures. In: ICISC LNCS, vol. 2288, pp Springer (2001) A Proofs This section contains the proofs of Theorem 1-Theorem 4.

16 A.1 Proof of Theorem 1 We show the signature correctness and soundness as well as the instantiation correctness, where we omit showing that the DSS verification as well as the signature verification and message signature verification work, since they are clear from the construction. What remains to show is the signature soundness. Note that for a given template signature σ T for template T the commitment C of the template encoding polynomial is fixed. Consequently, breaking the signature soundness requires finding (sk T P, T ) (skt P, T ) such that C = C. This requires either collisions in the hash function H used in the encoding functions, finding second preimages in H or breaking the polynomial binding of the construction. If an adversary A is able to attack the latter case, then we can construct an efficient adversary B, which uses A to solve the t-sdh problem in E(F q ). B gets input an instance (P, αp,..., α t P ) of the t-sdh problem. Then B runs DKeyGen twice to produce DSS key pairs for the originator and the proxy, sets up the public parameters pp = (H, E(F q ), e, p, P, αp,..., α t P ) and gives pp and the DSS key pairs to A. If A is able to win the game by outputting a template signature σ T to T as well as (sk T P = ρ, T ) and (sk T P = ρ, T ) with (sk T P, T ) (skt P, T ) such that Verify T (T, σ T, pp, dpk O, sk T P, dpk P ) = true, then holds. This implies that e(ρ t(α)p, P ) = e(ρ t (α)p, P ) e(p, P ) ρt(α) = e(p, P ) ρ t (α) e(p, P ) ρt(α) ρ t (α) = 1. Hence, α is a root of the polynomial t (X) = ρt(x) ρ t (X). As factoring of t (X) yields α, B can 1 efficiently obtain α and by choosing c R Z p \ { α}, B can output a solution (c, α+c ) of the t-sdh problem in E(F q ). A.2 Proof of Theorem 2 The proof consists of two parts. The first part covers unforgeability of template signatures, whereas the second part covers the unforgeability of message signatures. Both parts consist of two cases covering the reuse of queried signatures and existential forgeries of signatures, as detailed in Section 5.3. In the following, let q and q i be the number of template queries and the number of instantiation queries for template T i with 1 i q issued by A. Case T1. This case covers the infeasability of finding some T T i for all previously queried T i such that T verifies under some queried template signature σ Ti. If A was able to win the game by finding - with non-negligible probability - a T T i for all 1 i q such that C i = e(ρ t T (α)p, P ), for some 1 i q, then A has found a template T T i with deg(t T ) t such that either 1. t Ti (X) = t T (X), or 2. t Ti (X) t T (X) and t Ti (α) = t T (α) holds. Note that both cases are disjoint. In case one, A has found second preimages in H with non-negligible probability. More precisely, sk T P and σ T i are fixed. If A is able to generate a T T i with t Ti (X) = t T (X) with non-negligible probability, then it must have found second preimages in H with non-negligible probability for l i roots of t(t i ), whereas the suffix of each preimage must be of the form id T j and only the value of M is arbitrary.

17 In the second case, A must have found T T i such that t Ti (α) = t T (α), i.e., the template encoding polynomials need to have the same evaluation at the unknown point α, for some 1 i q. Then we can construct an adversary B that breaks the t-sdh problem in E(F q ). The reduction is identical to the reduction in the proof of signature soundness in Appendix A.1 with the only exception that we have ρ = ρ i. Case T2. This case covers the infeasability of computing a valid signature σ T for some T giving C, which differs from all previously queried template signatures. If A is able to win the game by finding a pair (T, σ T ) (T i, σ Ti ) for all 1 i q such that DVerify(τ, id T C n dpk P, dpk O ) = true then A must be able to forge signatures of the digital signature scheme DSS under dsk O. Case M1. This case covers the infeasability of finding some M M ij for all previously queried such that M verifies under some issued message signature σ Mij, i.e., M ij Verify M (M, σ Mij, pp, dpk P, dpk O ) = true. In particular, in order to win the game, A must be able to find M such that either 1. m Mij (X) = m M (X), or 2. m Mij (X) m M (X) and m Mij (α) = m M (α) holds. Note that both cases are disjoint. In the first case, A needs to find - with non-negligible probability - an M M ij for all 1 i q and 1 j q i such that M = M ij deg(m M ) = n e(c M, C Mij ) = C i for some 1 i q and 1 j q i. Since all values in the verification relation are fixed due to µ, the only way for A to output an M that passes the signature verification for an existing signature, is to find an M such that m M (X) = m Mij (X) and M = M ij. A can do so by computing second preimages in H, i.e., H(M l id Ti l) = H(M ijl id Ti l) for all n roots of the polynomial m Mij, whereas the suffix of each preimage must be of the form id Ti l and only the value of Ml is arbitrary. In the second case, we show that if A is able to come up with such a forgery, then we can construct an adversary B against the t-sdh assumption in E(F q ). Adversary B works as follows. B obtains an instance (P, αp,..., α t P ) to the t-sdh problem in E(F q ), sets pp = (H, E(F q ), e, p, P, αp,..., α t P ) and gives pp and the DSS public keys of the originator and proxy to A. When A wins the game by delivering such a forged M, we know that: e(c M, C Mij ) = e(c Mij, C Mij ) e(c M C Mij, C Mij ) = 1 As C Mij O with overwhelming probability, it follows that: m M (α)p = m Mij (α)p m M (α)p m Mij (α)p = O Consequently, α is a root of the polynomial m M (X) m Mij (X) Z p [X]. By factoring this polynomial, B can efficiently obtain α and solve the instance of the the t-sdh problem in E(F q ) given by pp by choosing c Z p \ { α} and outputting (c, 1 α+c P ).

18 Case M2. This case covers the infeasability of computing a valid signature σ M for some M, which differs from all previously queried signatures. A needs to find a pair (M, σ M ) (M ij, σ Mij ) for all 1 i q and 1 j q i such that Verify M (M, σ M, pp, dpk P, dpk O ) = true. In both cases M2a and M2b, this implies that A is able to forge DSS signatures under dsk P. A.3 Proof of Theorem 3 Case T1. The proof for this case is analogous to the proof in Appendix A.2 with the exception that A knows the proxy private keys corresponding to all templates. Therefore, the reduction is identical to the one in the proof of signatures soundness in Appendix A.1. Case T2. The proof for this case is analogous to the one in Appendix A.2, since A has exactly the same knowledge as in the previous proof. Case M1. The proof for this case is analogous to the proof in Appendix A.2. Case M2b. This case covers the infeasability of existentially forging signatures for messages, which are not instantiations of a template. Firstly, we show that if A is able to find an M such that M T i for all 1 i q and σ M σ Mij for all 1 j q i and Verify M (M, σ M, pp, dpk P, dpk O ) = true, then we can construct an efficient adversary B against the t-sdh assumption in E(F q ). Finding such an M implies that A has found a polynomial m M such that m M does not perfectly divide t Ti, i.e., t Ti = m M m M + ξ with ξ 0. Adversary B works as follows. B obtains an instance (P, αp,..., α t P ) to the t-sdh problem in E(F q ), sets pp = (H, E(F q ), e, p, P, αp ) and gives pp and the respective DSS keys to A. B simulates A s queries as in the original game. If A wins the game by returning (M = M 0, σ M = (µ, C M, I = ( M i )n i=1, σ T i ), T i ), then B computes m M = m Ti (M ) and t Ti = t(t i ). As we have e(c M, C M ) = C, C M must have the form C M = ρ i (m M (α) + ξ(α) m M (α) )P. By dividing t T i (X) through m M (X), B obtains m M (X) and ξ(x). From this B can compute m M (α)p. Since B knows ρ i from the query phase, it can now compute ρ 1 i C M m M (α)p = ξ(α) m M (α) P. As deg(t Ti ) = 1 and deg(m M ) = 1, we have deg(ξ) = 0, i.e., ξ(x) = ω Z p. Therefore, we obtain and B can now compute ξ(α) m M (α) P = ω α H(M 0 id T 1) P 1 ω ω α H(M 0 id T 1) P = 1 α H(M 0 id T 1) P 1 which gives a solution ( H(M 0 id T 1), α H(M 0 id T 1) P ) to the t-sdh problem in E(F q). It is immediate that the success probability of B is only negligibly smaller than that of A, due to the possibility that it could happen that α = H(M 0 id T 1), and the time required is only a small constant larger than that of B. Secondly, another strategy, A can follow is to use non-intended perfect divisors of t Ti, i.e., constructing an M such that deg(m M ) n and/or the elements of M are not consecutive with respect to the order defined by template T i. However, the degree n of all valid message polynomials as well as the index values i in the message encoding are fixed by the originator. Thus, the verification can never be satisfied. In the latter case, A would additionally be required to compute second preimages for at least one of the unintended factors.

19 A.4 Proof of Theorem 4 The strategy for this proof is as follows. When receiving the template signatures for the challenged templates T 0 and T 1, there is no a priori link between the templates and their signatures as they are returned in a randomly permuted order. Since the template ids are randomly chosen, both templates are of the same length n and the proxy public keys are equal, all boils down to deciding correspondence between templates and signatures by inspecting the commitments C 0 and C 1 contained in the template signatures σ T 0 and σ T 1. Analogously, all values in the message signatures of an instantiation M l, except for the commitments to the complementary message polynomials and the comprised template signatures, are identical. Latter allows the linking of queried message and template signatures and constructing two lists of commitments (C 0, C,..., C ) and (C M 0 M 1, C,..., C ), 1 0 M k 1 M 1 1 k where we assume w.l.o.g that A has queried all k instantiations. Consequently, the only strategy A can follow to gain an advantage over guessing, is to base its decision upon these two lists. What remains to show is that A has no advantage in winning the game, when using this information, which means that A s success probability for winning the game is exactly 1/2. We do so by showing that all elements in the above two lists unconditionally hide the respective encoding polynomials. Let T be a template allowing s instantiations and C = e(ρ t T (α)p, P ) be the commitment to its template encoding polynomial. W.l.o.g. we assume that let s 1 message signatures have been issued and the corresponding commitments to the complementary message encoding polynomials C M1,..., C Ms 1 are known. Nevertheless, this implies that one monomial factor (X γ) in the template encoding polynomial of T remains unknown. It also implies that (X γ) is an unknown factor of all complementary message encoding polynomials in the commitments C Mi = ρ m Mi (α)p for i = 1,..., s 1. The only unkown values in C (and in all other commitments), for which we demand C O, are ρ and γ. For all these commitments, there are, however, exactly p 1 valid pairs (γ, ρ) (Z p) 2. Consequently, all these commitments unconditionally hide the encoding polynomials. (Note that also in case of a constrained set of a < p possible values for γ - which would for instance be the case if we are dealing with a constrained message space - the hiding is still unconditional, as there are a equally likely pairs of possible values.)